ASA 5510 VPN users with WCCP redirection

Nikos Nicolaides
Beginner

Hi all,

We are in the process of migrating our old proxy server with an Ironport appliance. The Ironport device is located in the inside interface of the firewall.

The configuration is the following:

wccp 90 redirect-list HTTP-FILTER-ACL
wccp 120 redirect-list HTTPS-FILTER-ACL
wccp interface inside 90 redirect in
wccp interface inside 120 redirect in

access-list HTTP-FILTER-ACL extended deny ip any LSL-1st-FLOOR 255.0.0.0
access-list HTTP-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTP-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTP-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp LSL-1st-FLOOR 255.0.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq www

access-list HTTPS-FILTER-ACL extended deny ip any LSL-1st-FLOOR 255.0.0.0
access-list HTTPS-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTPS-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTPS-FILTER-ACL extended deny tcp LSL-1st-FLOOR 255.255.255.0 host 82.116.222.1 eq https
access-list HTTPS-FILTER-ACL extended permit tcp LSL-1st-FLOOR 255.0.0.0 any eq https
access-list HTTPS-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list HTTPS-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq https

Everything works as expected.

Now we need to do that to our VPN users as well. Our VPN users were using a specific proxy server value in the VPN settings box like the following:

msie-proxy server value 192.168.0.216:8080

The question is: How can I make the VPN users get redirected via WCCP to the Ironport appliance? Note that the VPN users come from the internet (outside interface) and the Ironport devices are in the inside interface.

Thanks in advance.

P.S. Note that split tunnelling is a security issue and we do not recommend it.

TIA, Nicos Nicolaides
Accepted Solution

Adam Makovecz
Beginner

Hi,

The only topology that the ASA supports is when client and cache engine are behind the same interface, therefore VPN is not supported.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html#wp1123521

Adam

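To make the accepted answer's point concrete, here is an added Python example (not from the thread, the ASA, or Cisco) that parses the HTTP redirect-list from the original post and evaluates sample flows with the ASA's first-match semantics, modelling the fact that the thread's WCCP configuration is "redirect in" on the inside interface only, so a VPN client's traffic arriving on outside is never evaluated against the redirect-list. It assumes a placeholder address of 10.0.0.0 for the LSL-1st-FLOOR name (the post does not show its value) and a constructed VPN-pool client address; both are labelled as assumptions in the code.

```python
import ipaddress

# Sample of the thread's HTTP redirect-list (constructed copy). LSL-1st-FLOOR is an
# ASA "name" whose address the post does not show, so 10.0.0.0 is an assumed placeholder.
NAMES = {"LSL-1st-FLOOR": "10.0.0.0"}
HTTP_FILTER_ACL = """
access-list HTTP-FILTER-ACL extended deny ip any LSL-1st-FLOOR 255.0.0.0
access-list HTTP-FILTER-ACL extended deny ip any 172.16.0.0 255.240.0.0
access-list HTTP-FILTER-ACL extended deny ip any 192.168.0.0 255.255.0.0
access-list HTTP-FILTER-ACL extended permit tcp 172.16.0.0 255.240.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp LSL-1st-FLOOR 255.0.0.0 any eq www
access-list HTTP-FILTER-ACL extended permit tcp 192.168.0.0 255.255.0.0 any eq www
"""
PORTS = {"www": 80, "https": 443}

def _addr(tokens):
    """Consume one ASA address spec (any | host X | NET MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = NAMES.get(tokens[0], tokens[0])  # resolve an ASA "name" if one is used
    return ipaddress.ip_network(f"{net}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def redirected(aces, ingress, src, dst, port, proto="tcp"):
    """True if a flow entering on `ingress` would be WCCP-redirected by this redirect-list.
    The thread applies 'wccp interface inside ... redirect in', so only flows entering
    on inside are ever evaluated; VPN clients terminating on outside never match."""
    if ingress != "inside":
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, pport in aces:  # first matching ACE wins, as on the ASA
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if pport is not None and pport != port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of the ACL: no redirection
```

The deny entries at the top keep internal-destination traffic away from the proxy, while the VPN case fails before the ACL is even consulted.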

OK, thanks

TIA, Nicos Nicolaides

Can't you force the VPN traffic to the inside interface?
